This bug was fixed in the package apparmor - 3.0.4-2ubuntu2.3build2
---------------
apparmor (3.0.4-2ubuntu2.3build2) jammy-security; urgency=medium
* No-change re-build upload for the jammy-security pocket as part
of the preparation for addressing CVE-2016-1585 (LP: #1597017)
-- Steve Beattie <[email protected]> Tue, 27 Aug 2024
14:48:42 -0700
** Changed in: apparmor (Ubuntu Jammy)
Status: Fix Committed => Fix Released
** Changed in: apparmor (Ubuntu Focal)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1597017
Title:
mount rules grant excessive permissions
Status in AppArmor:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Focal:
Fix Released
Status in apparmor source package in Jammy:
Fix Released
Bug description:
SRU Team; the packages for focal-proposed and jammy-proposed are
intended as security updates prepared by the Ubuntu Security team (and
have built in a ppa with only the security pockets enabled). However,
because the fix makes mount rules in apparmor policy be treated more
restrictively than they were prior to this update, we would like these
packages to gain more widespread testing.
Risk of Regression:
The update for this issue causes the apparmor parser, the tool that
translates written policy into the enforcement data structures used by
the kernel, to generate more strict policy for mount rules, like the
example below. They are not common in apparmor policy generally, but
can appear in policies written for container managers to restrict
containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have
tested with the versions of snapd, lxc, libvirt, and docker in the
ubuntu archive, but container managers outside of the ubuntu archive
may run into issues, hence the need for testing and policy
adjustments.
Original Report:
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-
slave flag
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
